Segregating physical ports with VLANs on TP-Link

Hello

I have a TP-Link router that is on LEDE 17 with the following port configuration:
Switch Ports:
0 eth1
1 WAN
2 LAN1
3 LAN2
4 LAN3
5 LAN4
6 eth0
The default config in /etc/config/network for the VLANs is:

network

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '1 6'

What I want to do (I have already done it, I just need confirmation that the settings are correct) is separate ports 4 and 5 so they only have access to the internet but not to the internal network (ports 2, 3 and wifi), so this is what I did:
/etc/config/network *note: I don't know if for VLAN 1 and 2 port 0 needs to be tagged

network

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr 'x.x.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ifname 'eth1.1'

config interface 'lan2'
    option proto 'static'
    option ipaddr 'x.x.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ifname 'eth1.2'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0t 2 3'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '0t 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '1 6'
    option vid '3'

In /etc/config/dhcp:

dhcp

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'

config dhcp 'lan2'
    option interface 'lan2'
    option start '100'
    option limit '150'
    option leasetime '12h'

In /etc/config/firewall *note: I noticed that I needed to set the input for LAN2 to REJECT, otherwise if it was set to ACCEPT (input) I could ping between VLANs. Can someone confirm I want REJECT?
*Note 2: I noticed that if I set input to REJECT then I would not get a DHCP address, so I added some config rules (found at the bottom of firewall) for DNS and DHCP. Is this necessary?
*Note 3: I noticed that I also needed to add config forwarding between LAN2 and WAN, otherwise there was no internet. Is this correct?

firewall

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'lan'

config zone
    option name 'lan2'
    option network 'lan2'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'

config forwarding
    option dest 'wan'
    option src 'lan2'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option src 'lan2'
    option name 'lan2 DNS'
    option family 'ipv4'

config rule
    option enabled '1'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option family 'ipv4'
    option src 'lan2'
    option name 'lan2 DHCP'

Can someone confirm I have set it all correctly?

Thanks

I'll take a shot at it, but never trust anyone's opinion completely without understanding your own configuration yourself.

On tagging, the general rules I use depend on what is going to be connected to the port (including the internal eth0 and eth1):

  • "Dumb" or non-VLAN-aware device -- untagged (always)
    • PVID needs to be set to the internal VLAN you're using in the switch
  • Single VLAN-aware device -- tagged ("always")
    • PVID shouldn't matter since you shouldn't be getting any untagged packets in. Safest to set to a "dead end" VLAN that isn't connected to anything
  • Trunking -- evertyhing tagged (personal choice, why mess with untagged packets?)
  • As just above, PVID shouldn't matter, set to dead-end VLAN

A couple "gotchas" about the Archer C7 switch:

If you want a VLAN tag above 127, you need to use a VLAN of 127 or below and give it a VID with the VLAN tag you want. I explicitly call out my VID in my config so I am less likely to forget. swconfig dev switch0 show is helpful to confirm that the config "took". swconfig dev switch0 help gives some general information of what you can set, and what values might be accepted (well, more on what will be rejected for being out of range).

In general, VLAN 0 is a special "no VLAN tag" tag, where only the priority is used. VLAN 4095 is the "real" dead-end VLAN, which never should end up going beyond the switch fabric. I haven't been successful in using it as the "untagged packets to the bit bucket" VLAN on the Archer C7 yet, but may go back to that later. VLAN 1, for other switches, is often the default management VLAN, or the "voice" VLAN, so I personally don't use it.

OK, on to your config...

eth1.1 is on VLAN 1 and is bridged to your "lan" -- that means the switch will see VLAN 1 packets and needs to send VLAN 1 packets to "talk" with the br-lan interface.

eth1.2 is on VLAN 2 and is bridged to your "lan2" -- similar to above.

  • Looks like you're missing an option type bridge in that declaration

Switch port 0 is physically connected to the phy of eth1, so the declaration of 0t 2 3 and VLAN of 1 looks correct for "dumb" clients on wireless and on LAN1 and LAN2 and br-lan.

Similarly the declaration of 0t 4 5 and VLAN of 2 looks correct for "dumb" clients on wireless and on LAN2 and LAN3 and br-lan2.

Your declaration of 1 6 and VLAN of 3 "wires" your WAN port into eth0, which is typical for Archer C7s used as routers.

Personally, I pick my own VLAN tag and assign them with option vid 100 or the like, since I trunk them all over the place, but that's a style/interoperability choice. Since you're keeping them within the switch, what you've got is fine.

Perhaps someone that uses UCI-configured firewalls can comment on your rules.

As I use different firewall tooling and don't do any "routing" on my OpenWRT devices, I'm not really qualified to do much more than provide general guidance.

You probably want to explicitly prohibit any traffic between "lan" and "lan1". If so, you'll need a different address space (and DHCP) for each of those so that the routing table knows which way to send a return packet after it's gone through NAT. It looks like you've got that addressing and DHCP set up, but I don't run DHCP services on my OpenWRT boxes, so I can't 100% say "that's right".

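A practitioner's check of the layout discussed above, as an added example that is not from the thread: it parses UCI-style text (the thread's three switch_vlan sections plus its forwarding section, embedded as a constructed sample) and reports if an isolated port (4, 5) shares a VLAN with an internal one (2, 3), if a CPU port (0 or 6, per the thread's port table) carries several VLANs without being tagged in each, or if the firewall forwards between lan and lan2. The zone names, the port sets and the `parse_uci` helper are assumptions.

```python
import re

# Constructed sample: the thread's three switch_vlan sections plus its one
# firewall forwarding section, joined into one string to parse offline.
SAMPLE = """\
config switch_vlan
    option vid '1'
    option ports '0t 2 3'
config switch_vlan
    option vid '2'
    option ports '0t 4 5'
config switch_vlan
    option vid '3'
    option ports '1 6'
config forwarding
    option src 'lan2'
    option dest 'wan'
"""

def parse_uci(text):
    """Return [(section_type, {option: value}), ...] in file order (assumed helper)."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)", line):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"\s*option\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def check_isolation(text, isolated, internal, cpu_ports=("0", "6")):
    """Return findings (empty = OK): isolated and internal ports share no VLAN,
    a CPU port carrying more than one VLAN is tagged in each of them, and the
    firewall never forwards between the lan and lan2 zones."""
    sections = parse_uci(text)
    findings, cpu_use = [], {}
    for kind, opts in sections:
        if kind == "switch_vlan":
            members = {p.rstrip("t"): p.endswith("t") for p in opts["ports"].split()}
            if members.keys() & set(isolated) and members.keys() & set(internal):
                findings.append(f"vid {opts['vid']} mixes isolated and internal ports")
            for port in members.keys() & set(cpu_ports):
                cpu_use.setdefault(port, []).append(members[port])
        elif kind == "forwarding" and {opts.get("src"), opts.get("dest")} <= {"lan", "lan2"}:
            findings.append(f"firewall forwards {opts['src']} -> {opts['dest']}")
    for port, tagged_flags in cpu_use.items():
        if len(tagged_flags) > 1 and not all(tagged_flags):
            findings.append(f"CPU port {port} carries several VLANs but is untagged in one")
    return findings
```

Run `check_isolation(SAMPLE, {"4", "5"}, {"2", "3"})` against the real file contents to get an empty list for the thread's layout, or a finding naming the offending vid, port or forwarding.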

Thanks Jeff, just some questions and some thanks.

This was a very helpful command, thanks.

Thanks, I have set it to bridge, but what happens if I leave it disabled? VLAN 2 is for my streaming box so it doesn't need access to anything internal.

I'm still struggling with this part, so do I even need to tag port 0 (0t) for LAN1 (internal) or even LAN2 (external)?

But it doesn't matter that I changed ports '1 6' to VLAN 3 instead of the default VLAN 2, right?

Did you mean "lan1" and "lan2"? If that is the case then yes, they are on their own subnets.

I hope someone can comment on my firewall settings.

I'm not at all sure what that means. Even if you're not accessing it directly, it will likely need an IP address, DNS service, and transport. For most people, those are going to come from the OpenWRT box either directly or indirectly. Given the config, I think you're saying that the only connection it needs is to an interface on the OpenWRT box. OpenWRT is pretty "free" with its use of bridges. Yes, if you aren't going to ever bridge over eth1.2 then you can probably static-assign it. For Linux bridges, you can't assign IP addresses to its members, you have to use the pseudo-interface of the bridge.

Yes, you have to tag egress packets destined for eth1.1 and eth1.2, otherwise the interface will get them on eth1 and not be able to make any sense of which VLAN they belonged to.

As far as "wiring" together port 1 and 6, the vlan doesn't matter as long as it's valid and not used somewhere else. Neither end of the wire sees it -- the PVID adds it to untagged packets on the way in, and it gets stripped on the way out.

Hi Jeff, VLAN 2 (stream box) is only meant to access the internet and not my internal printer or other devices. Yes, VLAN 2 has been set to do DHCP for the box and DNS; I added those two services to the firewall config, otherwise I wouldn't be able to reach any websites.